摘要
一般對於惡意程式(Malicious Software；Malware)之定義為：任何惡意、未經授權、不符合預期的程式。本研究的目的在於分析網路上惡意程式的活動(意指網路上駭客攻擊的行為)，藉由分析的結果，可以讓資訊安全人員瞭解目前惡意程式的攻擊行為與意圖，並且擬定因應的措施以確保網路安全。
本研究為了收集網路入侵的資料，將入侵偵測系統放置於某企業防火牆之外，讓入侵偵測系統可以蒐集到該企業防火牆對外網路進出的流量，資料分析的期間為2004年12月與2005年3、4、6月共計四個月。本研究對於分析網路上惡意程式的活動，設計了一套分析的流程，主要分為以下四個步驟：(1)入侵偵測系統收集資料，(2)過濾與儲存資料，(3)分割與處理資料，(4)資料分析。
透過入侵偵測系統之管理程式與本研究所設計的輔助分析程式，能夠以不同面向來分析攻擊的時間特性、攻擊的空間特性、攻擊者與被攻擊的目標之相關特性，藉以瞭解攻擊者的行為特性、攻擊的類型、攻擊的來源、攻擊之目的、攻擊的目標、最後得知攻擊的工具與方式。本研究根據資料分析的結果，發現以下的現象：(1)駭客會對目標系統作持續性或重覆性的攻擊行為；(2)Netbios的相關攻擊是大多數攻擊者最常使用的攻擊方式； (3)駭客的主要攻擊目的是造成目標系統與網路無法正常提供應有的服務；(4)駭客可能會透過某些工具得知目標主機開啟的通訊埠，並且以同樣的方式攻擊Windows與非Windows作業系統的主機。

Abstract
This thesis presents an empirical study of the activities of malicious software, which is referred as any malicious, unauthorized, or unexpected program or code, to help network security specialists to understand the network attacks caused by this kind of software and thus be able to setup appropriate plans to ensure network security.
To get the realistic attack data, we set up a Snort IDS (Intrusion Detection System) outside of a company’s firewall to collect the attack packets coming from Internet. The collecting time period were four months (December of 2004, and March, April and June of 2005). By the management system of IDS and the aided analysis program which was designed for this study, we can analyze the characteristics of attack time, attack source, attack victim. We also can infer the attack tools used by hackers. We found some interesting phenomenon in this study: (1)Hackers would try to attack some target system continuously and repeatedly, (2) netbios attack is the most frequent way that used by hackers, (3)most hackers try to cause the target system and network service unavailable. (4) hackers may use some tools to get the available ports of target system, and use the same way to attack windows and non-windows system.

參考文獻
中文部份
[1] 賽門鐵克, 第七期全球網路安全威脅研究報告（2004年七月至十二月）
http://www.symantec.com/region/tw/press/tw_050322.html
[2] 趨勢科技, 2004網路威脅報告書
http://www.trendmicro.com/tw/about/news/pr/archive/2004/pr041223.htm
[3] 趨勢科技, 駭客出手愈來愈快，電腦安全期所剩不多
http://www.trendmicro.com/tw/about/news/pr/archive/2004/pr040909.htm
[4] 陳鴻吉, 運用異質資訊提升入侵警報正確率,中原大學資訊工程研究所碩士論文,
2004.
http://thesis.lib.cycu.edu.tw/ETD-db/ETD-search-c/getfile?urn=etd-0629104- 171324&filename=9177088.pdf
[5] TWCERT/CC, IDS偵測網路攻擊方法之改進
http://www.cert.org.tw/document/column/show.php?key=85
[6] 資安人科技網, 入侵偵測系統的基本介紹（上）
http://www.informationsecurity.com.tw/feature/print.asp?fid=5
[7] 林秉忠, 網路環境下之系統安全評估, 國立中山大學資訊管理研究所碩士論文, 1998.
http://www.cert.org.tw/document/docfile/paper1.pdf
[8] 林柏宇, 大規模網路安全檢查系統之研究, 樹德科技大學資訊管理研究所碩士論文,
2002.
http://www.cert.org.tw/document/docfile/large scan.pdf
[9] TWCERT/CC, DDoS與 DoS的發展與分類
http://www.cert.org.tw/document/column/show.php?key=88
[10] 游啟勝, 合作式防火牆之設計與應用, 國立中央大學資訊管理所碩士論文, 2003.
http://140.115.80.80/resource/papers/master/92m90423035.pdf
英文部份
[11] Fausi Qattan , Fredrik Thernelius, "Deficiencies in Current Software
Protection Mechanisms and Alternatives for Securing Computer Integrity",
Master thesis, Department of Computer and Systems Sciences Stockholm
University - Royal Institute of Technology, 2004.
http://www.dsv.su.se/research/seclab/pages/pdf-files/04-34.pdf
[12] The Australian High Tech Crime Centre (AHTCC),the Australian Federal
Police (AFP), New South Wales Police, Northern Territory Police,
Queensland Police, South Australia Police, Tasmania Police,Victoria
Police, Western Australia Police and AusCERT, "The Australian Computer
Crime and Security Survey", 2004.
http://www.usq.edu.au/course/material/ CIS3009/module5/2004ACCSS.pdf
[13] http://www.mi2g.com/cgi/mi2g/frameset.php?pageid=http%
3A//www.mi2g.com/cgi/mi2g/press/240804.php
[14] Tobias.Chyssler. "Reducing False Alarm Rates in Intrusion Detection
Systems" , Master thesis No. LITH-IDA-EX-03/067-SE , Linkoping
University, 2003.
http://www.ida.liu.se/~rtslab/publications/ 2004/Chyssler04_DIMVA.pdf
[15] Levent Ertoz, Eric Eilertson, Aleksandar Lazarevic, Pang-Ning Tan, Paul
Dokas, Vipin Kumar, Jaideep Srivastava,"Detection of Novel Network
Attacks Using Data Mining", In ICDM Workshop on Data Mining for Computer
Security (DMSEC), 2003.
http://www.cs.umn.edu/research/minds/papers/raid03.pdf
[16] Cristina Abad, Jed Taylor, Cigdem Sengul, William Yurcik, "Log
Correlation for Intrusion Detection: A Proof of Concept", 19th Annual
Computer Security Applications Conference (ACSAC 2003), IEEE Computer
Society, 2003.
http://www.ncassr.org/projects/sift/papers/ACSAC03.PDF
[17] CERT Coordination Center, "Overview of Attack Trends", 2002.
http://www.cert.org/archive/pdf/attack_trends.pdf
[18] CERT/CC, Vulnerabilities reported：
http://www.cert.org/stats/cert_stats.html
[19] http://www.cert.org/tech_tips/denial_of_service.html
[20] http://www.honeynet.org/papers/bots/
[21] Levent Ertoz , Eric Eilertson , Aleksandar Lazarevic , Pang-Ning Tan ,
Vipin Kumar, Jaideep Srivastava , Paul Dokas, "MINDS - Minnesota
Intrusion Detection System", Next Generation Data Mining, MIT Press, 2003.
http://www.cs.umn.edu/research/minds/papers/minds_chapter.pdf
[22] Cliff Changchun Zou, Lixin Gao, Weibo Gong, Don Towsley, "Monitoring and
Early Warning for Internet Worms", In Proc. of th 10th ACM symposium on
computer and communication security, Washington DC, October 2003.
http://www-unix.ecs.umass.edu/~gong/ papers/monitoringEarlyWarning.pdf
[23] Hyang-Ah Kim, Brad Karp, "Autograph: Toward Automated, Distributed Worm
Signature Detection", In Proceedings of the 14th USENIX Security
Symposium. USENIX, August 2004.
http://www-2.cs.cmu.edu/~hakim/ autograph/autograph-usenixsec2004.pdf
[24] Shigang Chen, Sanjay Ranka, "An Internet-Worm Early Warning System", In
Proceedings of the IEEE Globecom 2004 - Security and Network Management,
volume 4, pages 2261-2265, November 2004.
http://www.cise.ufl.edu/~sgchen/papers/globecom2004_worm.pdf
[25] Marc Dacier, Fabien Pouget, Herve Debar, "Attack Processes found on the
Internet", NATO Research and technology symposium IST-041/RSY-013
"Adaptive Defence in Unclassified Networks", 19 April, 2004.
http://www.eurecom.fr/~pouget/papiers/paper_08_NATO_IST.pdf
[26] Marc Dacier, Fabien Pouget, "Honeypot-based Forensics", AusCERT2004,
AusCERT Asia Pacific Information technology Security Conference, 2004
http://project.honeynet.org/papers/ individual/AusCERT_fullpaper_BIS.pdf
[27] http://www.vmware.com/products/
[28] http://tw2.php.net/manual/en/function.levenshtein.php
[29] Richard C. Daigle, "An analysis of the computer and network attack
taxonomy ", Master thesis , department of the air force air university,
2001.
http://research.airuniv.edu/papers/ ay2001/afit/afit-gir-env-01m-04.pdf
[30] J. D. Howard and T. A. Longstaff., “A common language for computer
security incidents” Technical Report SAND98-8667, Sandia National
Laboratories, October 1998.
http://www.cert.org/research/taxonomy_988667.pdf
[31] http://www.snort.org
[32] http://www.cisco.com/en/US/products/hw/switches/ps607/products_command_
reference_chapter09186a008007e90a.html
[33] http://www.andrew.cmu.edu/user/rdanyliw/snort/snortacid.html
[34] http://sourceforge.net/projects/secureideas/
[35] http://www.securityfocus.com/infocus/1729
[36] Thorsten Holz, "New Fields of Application forHoneynets", Department of
Computer Science Diploma Thesis, August 2005.
http://www.mmweg.rwth-aachen.de/~thorsten.holz/diploma.pdf
[37] Verisign, “Internet Security Intelligence Briefing”, June 2005.
http://www.verisign.com/static/030910.pdf
[38] http://www.microsoft.com/technet/security/bulletin/MS01-033.mspx
[39] David Moore, Colleen Shannon, Jeffery Brown, "Code-Red: a case study on
the spread and victims of an Internet worm", Proceedings of the 2nd ACM
SIGCOMM Workshop on Internet measurment, 2002.
http://www.caida.org/outreach/papers/2002/codered/codered.pdf
[40] http://www.symantec.com/region/tw/techsupp/avcenter/venc/data/tw-w32.
sqlexp.worm.html
[41] http://www.insecure.org/nmap/
[42] http://infosecuritymag.techtarget.com/articles/1999/toolsofthetrade.shtml
[43] http://www.foundstone.com/resources/freetooldownload.htm?
file=superscan4.zip
[44] http://www.eiqnetworks.com/products/firewallreporting.shtml